Hello.
I'm interested in Client Authentication in JWS Client Assertion.
It seems that keycloak only support this using private key signing of which "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
I've expected that keycloak has also supported "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
In org.keycloak.protocol.oidc.OIDCLoginProtocol
// Client authentication methods
public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
public static final String CLIENT_SECRET_POST = "client_secret_post";
public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
public static final String PRIVATE_KEY_JWT = "private_key_jwt";
PRIVATE_KEY_JWT is referred from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
Only PRIVATE_KEY_JWT are added for authentication method, while CLIENT_SECRET_JWT is referred from no classes.
Does somebody know why keycloak does not support "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
(ex. security concerns, etc ...)
And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?
Best Regards
Takashi Norimatsu
Hitachi, Ltd.